Machine Identity Failings Expose Firms

Nearly all IT decision makers believe that protecting machine identities is as important or more important that human identity management, but most struggle to deliver that protection, according to a new Forrester study.

The analyst firm was commissioned by Venafi to poll 350 global IT leaders about the challenges facing them from securing machine identities, which 80% said they are having difficulties with.

In this context, “machine” could mean any kind of digital entity on a network, according to Venafi vice-president of security strategy and threat intelligence, Kevin Bocek.

“This means that everything including websites software, applications, devices, even algorithms, are machines,” he told Infosecurity. “And every single one of them needs an identity in order to communicate with other machines securely.”

Unfortunately, while IAM in the context of human identities is maturing, this failure to protect digital entities represents a coming security storm.

Nearly half (47%) of respondents said protecting machine identities and human identities will be equally important to their organizations over the next 12-24 months, while 43% claimed machine identity protection will be more important.

The vast majority (70%) admitted they are tracking fewer than half of the most common types of machine identities found on their networks, including cloud instances (56%), mobile devices (49%), SSH keys (29%) and containers and microservices (25%).

This could expose them to the risk of customer and corporate data theft, process disruption, downtime and customer attrition, the report claimed.

Bocek explained that machine identity attacks typically follow one of three methods.

“In the first, hackers steal machine identities for spoofing purposes, using them to establish themselves as trusted inside a network or to move around without being detected. Last year, for example, saw over 14,000 fake PayPal sites set up by scammers abusing machine identity to help them trick unsuspecting web users,” he said.

“The second scenario sees the misuse of machine identity to cause havoc across the victim’s entire network — a classic example of this would be the 2015 Ukrainian power grid attack when Russia managed to insert a valid SSH key into the grid and used it to shut down power across the country. Lastly, stolen machine identities are also used by hackers who want either to infiltrate an organization without being noticed and exfiltrate large amounts of data, hit targets with malware such as SQL injection attacks or cross-scripting attacks or to escalate privileges.”

Mitigating machine identity attacks requires IT teams to gain visibility into the location of every digital entity on the network and ensure their keys and certificates are valid and up-to-date.

“Organizations need to automate the process of securing machine identities, since in today’s environment, they’re being created and used on a scale that only other machines can keep up with,” Bocek added. “For any mid- to large-size organization, centralizing and automating the discovery, replacement and remediation of all machine identities on a network is the only realistic defense.”